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IN THE CLAIMS 

1. (Previously Presented) A computer-implemented method for maintaining 
computer security, comprising: 

providing a database of known good software; 
providing a database of unfamiliar software; 
opening a file; 

identifying the file being opened; 

determining, using a central processing unit, whether an entry exists in the database of 
known good software for the identified file; 

determining, using the central processing unit, whether an entry exists in the database 
of unfamiliar software for the identified file; 

moving the entry from the database of unfamiliar software to the database of known 
good software if it is determined that the entry has been in the database of unfamiliar 
software for a predetermined period of time; and 

performing at least one of allowing and preventing the opening of the file from 
continuing based on the result of the determination of whether the entry exists in the database 
of known good software. 

2. (Original) The method of claim 1, wherein the file comprises an executable 

file. 

3. (Original) The method of claim 2, wherein the executable file comprises an 
application. 

4. (Original) The method of claim 1, wherein identifying the file being opened 
comprises determining a unique value of the file, the unique value being a hash value 
generated according to a hashing algorithm and comparing the unique value to entries in the 
database of known good software. 
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5. (Original) The method of claim 4, wherein the performing at least one of 
allowing and preventing the opening of the file from continuing comprises allowing the file 
to continue to be opened if it is determined that the determined unique value corresponds to 
an entry in the database of known good software. 

6. (Cancelled) 

7. (Previously Presented) The method of claim 1, further comprising providing 
date stamp information for each entry in the database of unfamiliar software indicating a date 
on which the entry was first made. 

8. (Previously Presented) The method of claim 1, further comprising providing a 
value for each entry in the database of unfamiliar software indicating a number of times a file 
corresponding to the entry was opened. 

9. (Original) The method of claim 8, wherein the value comprises the number of 
times an executable in a file has been executed. 

10. (Previously Presented) The method of claim 7, further comprising 
determining an amount of time an entry has been in the database of unfamiliar software by 
comparing the date stamp information with a current date. 

11. (Cancelled) 

12. (Previously Presented) The method of claim 1, further comprising adding an 
entry to the database of unfamiliar software if an entry for the identified file is not found in at 
least one of the database of known good software and the database of unfamiliar software. 

13. (Previously Presented) The method of claim 1, further comprising placing at 
least one operating system call hook if it is determined that an entry exists in the database of 
unfamiliar software. 
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14. (Previously Presented) The method of claim 13, wherein the operating system 
call hook notifies a Trojan notification service that a file corresponds to an entry in the 
database of unfamiliar software. 

15. (Previously Presented) The method of claim 14, wherein the Trojan 
notification service prompts a user for input regarding whether the operating system call 
should be passed along. 

16. (Original) The method of claim 15, wherein opening of the file is allowed to 
proceed if the operating system call is passed along. 
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17. (Previously Presented) A system for maintaining computer security, 
comprising: 

a database of known good software; 
a database of unfamiliar software; 

one or more central processing units operable to execute: 
a system for opening a file; 
a system for identifying the file being opened; 

a system for determining whether an entry exists in the database of known 
good software for the identified file; 

a system for determining whether an entry exists in the database of unfamiliar 
software for the identified file; 

a system for moving the entry from the database of unfamiliar software to the 
database of known good software if it is determined that the entry has been in the database of 
unfamiliar software for a predetermined period of time; and 

a system for performing at least one of allowing and preventing the opening of 
the file from continuing based on the result of the determination of whether the entry exists in 
the database of known good software. 

18. (Original) The system of claim 17, wherein the file comprises an executable 

file. 

19. (Original) The system of claim 18, wherein the executable file comprises an 
application. 

20. (Original) The system of claim 17, wherein the system for identifying the file 
being opened comprises a system for determining a unique value of the file, the unique value 
being a hash value generated according to a hashing algorithm and a system for comparing 
the unique value to entries in the database of known good software. 



DAL01: 11 09994.1 



ATTORNEY DOCKET NO. 
063170.6962 



6 



PATENT APPLICATION 
USSN 10/830,127 



21. (Original) The system of claim 20, wherein the system for performing at least 
one of allowing and preventing the opening of the file from continuing comprises a system 
for allowing the file to continue to be opened if it is determined that the determined unique 
value corresponds to an entry in the database of known good software. 

22. (Cancelled) 

23. (Previously Presented) The system of claim 17, further comprising a system 
for providing date stamp information for each entry in the database of unfamiliar software 
indicating a date on which the entry was first made. 

24. (Previously Presented) The system of claim 17, further comprising a system 
for providing a value for each entry in the database of unfamiliar software indicating a 
number of times a file corresponding to the entry was opened. 

25. (Original) The system of claim 24, wherein the value comprises the number of 
times an executable in a file has been executed. 

26. (Previously Presented) The system of claim 23, further comprising a system 
for determining an amount of time an entry has been in the database of unfamiliar software 
by comparing the date stamp information with a current date. 

27. (Cancelled) 

28. (Previously Presented) The system of claim 17, further comprising a system 
for adding an entry to the database of unfamiliar software if an entry for the identified file is 
not found in at least one of the database of known good software and the database of 
unfamiliar software. 

29. (Previously Presented) The system of claim 17, further comprising a system 
for placing at least one operating system call hook if it is determined that an entry exists in 
the database of unfamiliar software. 
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30. (Previously Presented) The system of claim 29, wherein the operating system 
call hook notifies a Trojan notification service that a file corresponds to an entry in the 
database of unfamiliar software. 

31. (Previously Presented) The system of claim 30, wherein the Trojan 
notification service prompts a user for input regarding whether the operating system call 
should be passed along. 

32. (Original) The system of claim 31, wherein opening of the file is allowed to 
proceed if the operating system call is passed along. 
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33. (Currently Amended) A tangible program storage device comput e r r e adable 
storag e m e dium including computer executable code for maintaining computer security, 
comprising: 

code for providing a database of known good software; 
code for providing a database of unfamiliar software; 
code for opening a file; 
code for identifying the file being opened; 

code for determining whether an entry exists in the database of known good software 
for the identified file; 

code for determining whether an entry exists in the database of unfamiliar software 
for the identified file; 

code for moving the entry from the database of unfamiliar software to the database of 
known good software if it is determined that the entry has been in the database of unfamiliar 
software for a predetermined period of time; and 

code for performing at least one of allowing and preventing the opening of the file 
from continuing based on the result of the determination of whether the entry exists in the 
database of known good software. 

34. (Currently Amended) The program storage device computer recording 
medium of claim 33, wherein the file comprises an executable file. 

35. (Currently Amended) The program storage device comput e r recording 
medium of claim 34, wherein the executable file comprises an application. 

36. (Currently Amended) The program storage device comput e r recording 
medium of claim 33, wherein the code for identifying the file being opened comprises code 
for determining a unique value of the file, the unique value being a hash value generated 
according to a hashing algorithm and code for comparing the unique value to entries in the 
database of known good software. 
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37. (Currently Amended) The program storage device computer r e cording 
medium of claim 36, wherein the code for performing at least one of allowing and preventing 
the opening of the file from continuing comprises code for allowing the file to continue to be 
opened if it is determined that the determined unique value corresponds to an entry in the 
database of known good software. 

38. (Cancelled) 

39. (Currently Amended) The program storage device comput e r recording 
medium of claim 33 , further comprising code for providing date stamp information for each 
entry in the database of unfamiliar software indicating a date on which the entry was first 
made. 

40. (Currently Amended) The program storage device computer recording 
medium of claim 33 , further comprising code for providing a value for each entry in the 
database of unfamiliar software indicating a number of times a file corresponding to the entry 
was opened. 

41. (Currently Amended) The program storage device computer r e cording 
m e dium of claim 40, wherein the value comprises the number of times an executable in a file 
has been executed. 

42. (Currently Amended) The program storage device comput e r recording 
medium of claim 39, further comprising code for determining an amount of time an entry has 
been in the database of unfamiliar software by comparing the date stamp information with a 
current date. 



43. 



(Cancelled) 
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44. (Currently Amended) The program storage device computer recording 
medium of claim 33, further comprising code for adding an entry to the database of 
unfamiliar software if an entry for the identified file is not found in at least one of the 
database of known good software and the database of unfamiliar software. 

45. (Currently Amended) The program storage device computer r e cording 
medium of claim 33, further comprising code for placing at least one operating system call 
hook if it is determined that an entry exists in the database of unfamiliar software. 

46. (Currently Amended) The program storage device comput e r recording 
m e dium of claim 45, wherein the operating system call hook notifies a Trojan notification 
service that a file corresponds to an entry in the database of unfamiliar software. 

47. (Currently Amended) The program storage device computer recording 
medium of claim 46, wherein the Trojan notification service prompts a user for input 
regarding whether the operating system call should be passed along. 

48. (Currently Amended) The program storage device comput e r r e cording 
medium of claim 47, wherein opening of the file is allowed to proceed if the operating system 
call is passed along. 

49. (Previously Presented) The method of claim 1, wherein a sufficient period of 
time comprises a month or longer. 

50. (Previously Presented) The method of claim 8, further comprising moving the 
entry from the database of unfamiliar software to the database of known good software if the 
number of times the file corresponding to the entry was opened is greater than a baseline 
value. 

5 1 . (Previously Presented) The system of claim 1 7, wherein a sufficient period of 
time comprises a month or longer. 



DAL01: 1109994.1 



ATTORNEY DOCKET NO. 
063170.6962 



11 



PATENT APPLICATION 
USSN 10/830,127 



52. (Previously Presented) The system of claim 24, further comprising a system 
for moving the entry from the database of unfamiliar software to the database of known good 
software if the number of times the file corresponding to the entry was opened is greater than 
a baseline value. 

53. (Previously Presented) The system of claim 17, further comprising a 
processor. 

54. (Currently Amended) The program storage device comput e r recording 
medium of claim 33, wherein a sufficient period of time comprises a month or longer. 

55. (Currently Amended) The program storage device computer recording 
m e dium of claim 40, further comprising code for moving the entry from the database of 
unfamiliar software to the database of known good software if the number of times the file 
corresponding to the entry was opened is greater than a baseline value. 
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56. (Previously Presented) A computer-implemented method for computer 
security, comprising: 

identifying a file; 

determining, using a central processing unit, whether an entry for the file exists in 
database of unfamiliar software; 

determining, using the central processing unit, quantitative information regarding the 
file, the quantitative information selected from the group consisting of a length of time the 
entry has been in the database of unfamiliar software, a number of times the file has been 
opened, and a number of times an executable in the file has been executed; 

adding the entry for the file to a database of known good software if the quantitative 
information exceeds a predetermined value; and 

allowing the opening of the file to continue if the database of known good software 
includes the entry for the file. 

57. (Previously Presented) The method of claim 56, further comprising removing 
the entry for the file from the database of unfamiliar software if the quantitative information 
exceeds a predetermined value. 

58. (Previously Presented) The method of claim 56, further comprising 
preventing the opening of the file to continue if: 

the database of known good software does not include the entry for the file; and 
the file attempts a suspicious activity. 

59. (Previously Presented) The method of claim 58, wherein a suspicious activity 
comprises updating a registry. 

60. (Previously Presented) The method of claim 58, wherein a suspicious activity 
comprises opening a second file. 
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